-
Notifications
You must be signed in to change notification settings - Fork 8
/
queries.json
85 lines (85 loc) · 3.9 KB
/
queries.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
{
"name": "Brimcap",
"items": [
{
"name": "Activity Overview",
"value": "count() by _path | sort -r",
"description": "Shows a list of all Zeek streams in the data set, with a count of associated records"
},
{
"name": "Unique DNS Queries",
"value": "_path==\"dns\" | count() by query | sort -r",
"description": "Shows all unique DNS queries in the data set with count"
},
{
"name": "Top Domains",
"value": "_path==\"dns\" | count() by domain:=join(split(query,\".\")[-2:],\".\") | sort -r",
"description": "Displays the domains appearing most frequently in DNS queries"
},
{
"name": "Windows Networking Activity",
"value": "grep(smb*,_path) OR _path==\"dce_rpc\"",
"description": "Filters and displays smb_files, smb_mapping and DCE_RPC activity"
},
{
"name": "HTTP Requests",
"value": "_path==\"http\" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c",
"description": "Displays a list of the count of unique HTTP requests including source and destination"
},
{
"name": "Unique Network Connections",
"value": "_path==\"conn\" | cut id.orig_h, id.resp_p, id.resp_h | sort | uniq",
"description": "Displays a table showing all unique source:port:destination connections pairings"
},
{
"name": "Connection Received Data",
"value": "_path==\"conn\" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes",
"description": "Shows the connections between hosts, sorted by data received"
},
{
"name": "File Activity",
"value": "filename!=null | cut _path, tx_hosts, rx_hosts, conn_uids, mime_type, filename, md5, sha1",
"description": "Displays a curated view of file data including md5 and sha1 for complete file transfers"
},
{
"name": "HTTP Post Requests",
"value": "method==\"POST\" | cut ts, uid, id, method, uri, status_code",
"description": "Displays all HTTP Post requests including the URI and HTTP status code"
},
{
"name": "Show IP Subnets",
"value": "_path==\"conn\" | put classnet := network_of(id.resp_h) | cut classnet | count() by classnet | sort -r",
"description": "Enumerates the classful networks for all destination IP addresses including count of connections"
},
{
"name": "Suricata Alerts by Severity and Category",
"value": "event_type==\"alert\" | count() by alert.severity,alert.category | sort count",
"description": "Shows all Suricata alert counts, grouped by category and severity"
},
{
"name": "Suricata Alerts by Signature",
"value": "event_type==\"alert\" | count() by alert.signature | sort count",
"description": "Shows all Suricata alert counts, grouped by signature"
},
{
"name": "Suricata Alert Categories by Source and Destination",
"value": "event_type==\"alert\" | alerts := union(alert.category) by src_ip, dest_ip",
"description": "Shows a list of Suricata alert categories, grouped by unique source and destination IP addresses"
},
{
"name": "Suricata Alert Signatures by Source and Destination",
"value": "event_type==\"alert\" | alerts := union(alert.signature) by src_ip, dest_ip",
"description": "Shows a list of Suricata alert signatures, grouped by unique source and destination IP addresses"
},
{
"name": "Suricata Alert Categories by Subnet",
"value": "event_type==\"alert\" | alerts := union(alert.category) by network_of(dest_ip)",
"description": "Shows a list of Suricata alert categories, grouped by CIDR network"
},
{
"name": "Suricata Alert Signatures by Subnet",
"value": "event_type==\"alert\" | alerts := union(alert.signature) by network_of(dest_ip)",
"description": "Shows a list of Suricata alert signatures, grouped by CIDR network"
}
]
}